If you're a student or teacher in a computer science school of a big college, chances are good that you pick stronger passwords than your peers in the arts school. In turn, the arts students usually pick better passwords than those in the business school, according to research presented this week.

The landmark study is among the first to analyze the plaintext passwords that a sizable population of users choose to safeguard high-value accounts. The researchers examined the passwords of 25,000 faculty, staff, and students at Carnegie Mellon University used to access grades, e-mail, financial transcripts, and other sensitive data. The researchers then analyzed how guessable the passwords would be during an offline attack, such as those done after hackers break into a website and steal its database of cryptographically hashed login credentials. By subjecting the CMU passwords to a cracking algorithm with a complex password policy, the researchers found striking differences in the quality of the passwords chosen by various subgroups within the university population.

For instance, people associated with CMU's computer science and technology schools chose passwords that were more than 1.8 times stronger than those used by people in the business school. In between these two groups were people associated with the art school. Statistically speaking, passwords picked by computer science and technology users were only 68 percent as likely to be guessed as arts users and only 55 percent as likely to be cracked as people in the business school. Stated differently, the number of attempts required to successfully guess 100 arts school passwords in the typical offline crack would yield passwords for 124 people in the business school and 68 people in the computer science school.

The research paper, titled Measuring Password Guessability for an Entire University (PDF), is significant because it's among the few that have studied a statistically significant sample of passwords used for high-value accounts. By comparison, the findings of many previous studies have been less reliable because they analyzed smaller numbers of passwords, passwords taken from real-world database breaches, or passwords created for one-off accounts set up for research purposes.

"This kind of experiment can't tell us anything about why this effect is going on, just that it is," Michelle L. Mazurek, one of the researchers who wrote the paper, told Ars. (Disclosure: Mazurek is married to Ars Senior Gaming Editor Kyle Orland.) She continued:

So it could mean that business school users don't know how to make stronger passwords (that is, they are trying but aren't as good at it), or it could mean they are making less effort or care less about protecting their accounts, or something else entirely. I think in practice it means that some extra education may be needed either to help those users learn to make stronger passwords or to give them more motivation to make stronger passwords. In general I think if you are a sysadmin trying to bring up the strength of passwords across the organization, it gives you some sense of where to focus your efforts (at least in populations that somewhat resemble the CMU population).

Perhaps not surprisingly, the researchers also found that length and other password characteristics are strongly correlated with strength. With the addition of each lowercase letter or digit, for instance, a password is 70 percent as likely to be guessed. Adding special symbols or uppercase letters made passwords even stronger, reducing the likelihood of guessing to 56 percent and 46 percent respectively. The researchers go into additional detail:

Placing digits and symbols anywhere but at the end, which is the baseline for the regression, is also correlated with stronger passwords. Multiple characters spread out in more than one location are associated with the strongest passwords—only 20% and 30% as likely to be guessed as passwords with digits and symbols, respectively, at the end. Placing uppercase characters at the beginning instead of at the end of a password is associated with much weaker passwords: 88% more likely to be guessed.

The researchers also found that men in the study used slightly stronger passwords than women. Men's passwords were 92 percent as likely as women's to be guessed, meaning on average the number of attempts required to successfully guess 100 women's passwords would yield 92 passwords belonging to men.
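The group comparison the article uses (the guess budget that recovers 100 passwords of one group, applied to the others), as an added example that is not code from the paper or from CMU. The group names, sizes and guess numbers are constructed sample data, and the evenly spaced guess numbers are a toy stand-in for the output of a real guesser.

```python
"""Offline-guessability comparison between user groups, the way the article
describes it: find the guess budget a cracker needs to recover 100 passwords
of one group, then count how many passwords of another group fall within that
same budget.

Added example; not code from the paper or from CMU. The guess numbers are
constructed sample data: each entry is the position at which a hypothetical
guessing order would emit that password, or None if the password is never
guessed within the cracker's cutoff.
"""
from typing import List, Optional, Tuple

GuessNumbers = List[Optional[int]]


def guesses_to_crack(guess_numbers: GuessNumbers, count: int) -> Optional[int]:
    """Smallest budget at which `count` passwords of this group have been
    guessed, or None if fewer than `count` are ever guessed."""
    cracked = sorted(g for g in guess_numbers if g is not None)
    if count <= 0 or len(cracked) < count:
        return None
    return cracked[count - 1]


def cracked_within(guess_numbers: GuessNumbers, budget: int) -> int:
    """Number of passwords guessed with at most `budget` attempts."""
    return sum(1 for g in guess_numbers if g is not None and g <= budget)


def relative_yield(reference: GuessNumbers, other: GuessNumbers,
                   count: int = 100) -> Optional[Tuple[int, float]]:
    """Return (budget, yield): the budget needed to crack `count` reference
    passwords, and how many `other` passwords that budget cracks, scaled to
    the reference group's size so groups of different size compare."""
    budget = guesses_to_crack(reference, count)
    if budget is None:
        return None
    scaled = cracked_within(other, budget) * len(reference) / len(other)
    return budget, scaled


def likelihood_ratio(reference: GuessNumbers, other: GuessNumbers,
                     count: int = 100) -> Optional[float]:
    """'other is X as likely to be guessed as reference' (1.0 = equally likely)."""
    result = relative_yield(reference, other, count)
    return None if result is None else result[1] / count


def constructed_group(step: int, size: int = 200,
                      never_cracked: int = 20) -> GuessNumbers:
    """Constructed toy group: password i is guessed at attempt step*(i+1); the
    last `never_cracked` passwords survive the cutoff. Larger step = stronger."""
    cracked = size - never_cracked
    return [step * (i + 1) for i in range(cracked)] + [None] * never_cracked


# Constructed sample groups (not CMU data): business weakest, CS strongest.
GROUPS = {
    "business": constructed_group(step=8),
    "arts": constructed_group(step=10),
    "cs": constructed_group(step=15),
}


def report(reference: str = "arts", count: int = 100) -> dict:
    """Guess-budget comparison of every group against `reference`:
    how many of each group's passwords fall inside the budget that cracks
    `count` passwords of the reference group."""
    ref = GROUPS[reference]
    out = {}
    for name, group in GROUPS.items():
        result = relative_yield(ref, group, count)
        out[name] = None if result is None else round(result[1], 1)
    return out


if __name__ == "__main__":
    for name, cracked in report().items():
        print(f"budget for 100 arts passwords also cracks {cracked} {name} passwords")
```

With the constructed data the arts budget (1,000 guesses) cracks 125 business and 66 CS passwords, close to the 124 and 68 the article reports; the None entries show how a group's uncrackable tail is handled.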

The research also showed that people who pick stronger passwords have higher rates of failed login attempts and that users who report annoyance with CMU's stringent password policy picked weaker passcodes.

Promoted Comments

The landmark study is among the first to analyze the plaintext passwords...

So, how did they get all those plaintext passwords to study? Is CMU really keeping a database of unhashed passwords?

From the linked study:

Quote:

Plaintext passwords were made indirectly available to us through fortunate circumstances, which may not be reproducible in the future. The university was using a legacy credential management system (since abandoned), which, to meet certain functional requirements, reversibly encrypted user passwords, rather than using salted, hashed records. Researchers were never given access to the decryption key.

I'll agree with the premise that CS students know what makes a password strong or weak and business students don't. If they made a study and gave the CS students a dummy Forex account with leverage of 10:1 and asked them if this was a high or low leverage ratio, how do you think they'd fare? This is a matter of education. Of course, I won't ignore the elephant in the room: it's a lot more important that the business guy who might end up being responsible for other people's money understands the security of his passwords than it is for me to understand how Forex leverage works.

Well except the art students are the curve ball in that argument.

I have a theory. At CMU, the arts department has a lot of contact with the science (including CS) department. They even have Intercollege Degree Programs. Note that business isn't anywhere to be seen there. So, arts students might generally be in more contact with CS than business students. If you constantly hang out with people in the CS field, or have even possibly taken CS, science, or mathematics courses as part of your degree, there's a good chance you at least pick up concepts like what makes a strong password. Of course the CS students will pick up some pieces of your knowledge too, but those aren't the focus of this particular article. This is just basic human interaction.

This is interesting for so many reasons. Is it suggestive of cognitive differences amongst students who self-select to study things that reinforce their interests or traits? For example, do business students tend to be very "outcome oriented" and use certain heuristics to allocate where they focus their efforts that are different from those used by engineering and compsci students? I can see that. If students who self-select for business tend to be very "outcome oriented", then picking a password is merely a time-wasting obstacle to achieving an objective (what resides in the system protected by the password). Every cycle burned in coming up with a difficult-to-attack (yet easy to remember) passphrase is a cycle NOT focused on attending to the problem at hand.

To the CompSci student? It is an engineering challenge in itself: "What password creation algorithm can I use that will generate the most difficult-to-guess password, while remaining easy to remember? How about the first three letters of the first names of all of my cousins on my dad's side, in reverse chronological order?"

While an interesting study in and of itself (in terms of IT security and corporate controls design decision), to me the more exciting question is whether the choice of password signifies a deeper difference in cognitive style and heuristic use amongst people who self-select to different careers.

The landmark study is among the first to analyze the plaintext passwords...

So, how did they get all those plaintext passwords to study? Is CMU really keeping a database of unhashed passwords?

according to the full paper:

"The university was using a legacy credential management system (since abandoned), which, to meet certain functional requirements, reversibly encrypted user passwords, rather than using salted, hashed records. Researchers were never given access to the decryption key."


I'm working in IT and have a computer science master's, but I use a very simple password with very simple variations on it everywhere. I don't want to have to worry about forgetting these passwords. But I read all these scary articles about password cracking, and I think it's more than due time to change my practice.

It seems that the best solution is an online password manager, and I know a few were recommended in Ars in past articles and their comments, but let me ask again, do you have _the definitive online password manager_ to recommend?

And also: I'm a bit worried about online password managers; they generate an impossible-to-crack password, that's great, but what happens when I'm out of internet? Let's say I live in a place with a so-so internet connection, and where authorities are keen on locking internet access for whatever reason, I'm unable to log in anywhere, am I?

---Edit: forgot to mention, a simple variation of my simple password was in the Adobe database which was leaked a couple of weeks ago, so basically all the hackers worldwide can now pretty much connect to all of my accounts

It's interesting because they have a little bit of demographic data to attach to the plaintext records. There's no shortage of plain text passwords in the wild now, but there's rarely any demographics to go with them as far as I can tell.

The Institutional Review Board of any University may also balk at the idea that some security researchers are going to analyze passwords in the wild.

I'm working in IT and have a computer science master's, but I use a very simple password with very simple variations on it everywhere. I don't want to have to worry about forgetting these passwords. But I read all these scary articles about password cracking, and I think it's more than due time to change my practice.

It seems that the best solution is an online password manager, and I know a few were recommended in Ars in past articles and their comments, but let me ask again, do you have _the definitive online password manager_ to recommend?

And also: I'm a bit worried about online password managers; they generate an impossible-to-crack password, that's great, but what happens when I'm out of internet? Let's say I live in a place with a so-so internet connection, and where authorities are keen on locking internet access for whatever reason, I'm unable to log in anywhere, am I?

At the very least, you can make it portable, though it has no problem being installed on a machine and using a USB drive for the actual database. I imagine it wouldn't have a problem with the DB on a cloud server (Dropbox, and the like).

So, in academic settings, does this translate at all to private-sector business? I mean, some places actually take this serious and have password policies and hashing and salting.


I'm working in IT and have a computer science master's, but I use a very simple password with very simple variations on it everywhere. I don't want to have to worry about forgetting these passwords. But I read all these scary articles about password cracking, and I think it's more than due time to change my practice.

It seems that the best solution is an online password manager, and I know a few were recommended in Ars in past articles and their comments, but let me ask again, do you have _the definitive online password manager_ to recommend?

And also: I'm a bit worried about online password managers; they generate an impossible-to-crack password, that's great, but what happens when I'm out of internet? Let's say I live in a place with a so-so internet connection, and where authorities are keen on locking internet access for whatever reason, I'm unable to log in anywhere, am I?

---Edit: forgot to mention, a simple variation of my simple password was in the Adobe database which was leaked a couple of weeks ago, so basically all the hackers worldwide can now pretty much connect to all of my accounts

Keepass is the best solution for me, I'm sure everyone has their own preference though. It's not online, but runs on every system I've seen (OSX, iOS, Android, Windows, etc, including portable versions). I keep it on a pen drive, my desktop/laptop/phone, (etc again). Every now and then I sync the database from whatever device I'm on to the pen drive's database and it automatically does a two-way sync for whatever entries are newest. It's free, it's open source, you can define your own passwords. I really don't see any reason to put all my passwords (even encrypted) online, but if for some reason you do see the need, it can sync to dropbox.... check it out.

I tend to agree that CS students are more likely to understand how password security works... but what good is that knowledge and strength of password when they still write down their passwords on a sticky note and tape it to the palm rest of their laptops?

The landmark study is among the first to analyze the plaintext passwords...

So, how did they get all those plaintext passwords to study? Is CMU really keeping a database of unhashed passwords?

according to the full paper:

"The university was using a legacy credential management system (since abandoned), which, to meet certain functional requirements, reversibly encrypted user passwords, rather than using salted, hashed records. Researchers were never given access to the decryption key."

Yuck.

Unfortunately, this doesn't come as a surprise to me. I graduated from CMU in 2012 and their course management and related online facilities were exceedingly terrible, especially considering that CMU is well known for its computer science. Selecting classes was hilariously difficult, involving two separate websites and bad Javascript that opened course descriptions in a single window so you couldn't easily compare courses. There are <table>s and button-based navigation everywhere. It had a vibe of something that was written pre-millennium and no one wanted to break it.

Edit: The main credentials were also used to unlock lab computers, which throws a wrench into using a password manager.

I also wonder, not only what percent of each used bad passwords, but how many reused the same passwords across every site (including whatever new system replaced this one). We'll probably never know, but that's usually where the real damage can be done.

I'll agree with the premise that CS students know what makes a password strong or weak and business students don't. If they made a study and gave the CS students a dummy Forex account with leverage of 10:1 and asked them if this was a high or low leverage ratio, how do you think they'd fare? This is a matter of education. Of course, I won't ignore the elephant in the room: it's a lot more important that the business guy who might end up being responsible for other people's money understands the security of his passwords than it is for me to understand how Forex leverage works.

Well except the art students are the curve ball in that argument.

I'm guessing the art students are the ones using phrases from old books and plays, like Ars described in this article. Certainly "less guessable" per this study's metric than your cat's name or password1, but still not amazing passwords.


People talk a lot about the two extremes: 1 password for everything on one end, and an external password manager that generates random strings for each site on the other.

Realistically, a simple tiered system works well enough: Just remember 3 passwords, for example: one really good one for the most critical services like e-mail and banking, a somewhat strong one for somewhat important services like shopping, and a simple, fast-to-type password for stuff that I frankly don't care about (I'm not going to lose any sleep if someone hijacks my Ars account--what will they do? Post comments using my username?). (I actually have 6 tiers, but I usually recommend 3 to people.)

The problem I'm running into with this is that more and more sites are coming up with stupid password policies. Must be mixed-case, must have a number, and all that other nonsense. These policies are fine for my stronger tiers, but really inane for, say, a web forum. So as a result, I now have a few variations of my "I don't care" password, and I sometimes run into the problem of forgetting which variation I used for a site.

I'm not sure what is the best way to create a password. I use acronyms of a phrase for each place I go to and then give it a bit of a l33t.

This is not my password phrase

becomes

timppb

becomes

t1mppb

It's a good idea to capitalize at least one, so

t1mPpb

and they should be at least 8 characters long (I use more)

t1mPpb12

My original phrase is unique to where I am using it.

I don't know how strong this method actually is, but it's worked. So far.

Those are exactly the passwords easy for computers to guess and hard for humans to remember.

Mary had a little lamb.

^^That's a great password (unless the back end is 70s Cobol code like your online banking and they don't allow spaces or special chars). Add letters, numbers, and more special chars if you want to increase password entropy.

I tend to agree that CS students are more likely to understand how password security works... but what good is that knowledge and strength of password when they still write down their passwords on a sticky note and tape it to the palm rest of their laptops?

I had this history class I was taking as an elective and the girl who sat in front of me almost did this. What she did was have the login and password for every online site she used (bank included) on those desktop sticky note things they have in Windows 7. She had probably 10 of them on her desktop. A person could literally have taken a screenshot of her desktop and completely stolen her identity or cleaned her bank accounts out with basically no effort.

At my university, there is a class for the business school people in third year that teaches security with regards to technology. My friend who had to take it showed me the slides for it, and talking points included things like "Put a password on your phone so you can lock it", "Don't use your birthday as a password" and other things like that. I always thought that kind of stuff was common sense, but I guess that isn't the case. In my department, computer science, we have much more strict password policies, especially when it comes to gaining remote access to department resources.

The flaw I see is that different people put different priority levels on different accounts. I straddle the line as an engineer who went to b-school.

My engineering school account which had access to drop me from classes, manipulate my assignments, and represented my identity had a secure password. My b-school account which had pretty much no access except to get (not turn in) class assignments had a very weak password. (There was a second account which *did* represent my identity, which had a stronger password.)

Just because people assign something a weak password is not indicative that they do not use strong passwords. If you accessed my forum accounts, social media that never gets used, spam email addresses, etc, I use *terrible* passwords. Many of them are purely numeric. But when you get into my banking, email, and anything with my credit card, I use unique, individual passwords. It all depends on how much those people value those accounts, and maybe b-school kids didn't feel like their accounts needed that much protection for whatever reason.

I tend to agree that CS students are more likely to understand how password security works... but what good is that knowledge and strength of password when they still write down their passwords on a sticky note and tape it to the palm rest of their laptops?

I had this history class I was taking as an elective and the girl who sat in front of me almost did this. What she did was have the login and password for every online site she used (bank included) on those desktop sticky note things they have in Windows 7. She had probably 10 of them on her desktop. A person could literally have taken a screenshot of her desktop and completely stolen her identity or cleaned her bank accounts out with basically no effort.

At my university, there is a class for the business school people in third year that teaches security with regards to technology. My friend who had to take it showed me the slides for it, and talking points included things like "Put a password on your phone so you can lock it", "Don't use your birthday as a password" and other things like that. I always thought that kind of stuff was common sense, but I guess that isn't the case. In my department, computer science, we have much more strict password policies, especially when it comes to gaining remote access to department resources.


Hi, I'm Z1ggy and I have a text document with my username/passwords stored in my dropbox account. I'm lazy/broke with bad credit and work as a state web developer.. I know I should use a better password keeper, but I can't work myself up to doing so (see previous statement about being lazy). My identity isn't worth the paper it's printed on.

The flaw I see is that different people put different priority levels on different accounts. I straddle the line as an engineer who went to b-school.

My engineering school account which had access to drop me from classes, manipulate my assignments, and represented my identity had a secure password. My b-school account which had pretty much no access except to get (not turn in) class assignments had a very weak password. (There was a second account which *did* represent my identity, which had a stronger password.)

Just because people assign something a weak password is not indicative that they do not use strong passwords. If you accessed my forum accounts, social media that never gets used, spam email addresses, etc, I use *terrible* passwords. Many of them are purely numeric. But when you get into my banking, email, and anything with my credit card, I use unique, individual passwords. It all depends on how much those people value those accounts, and maybe b-school kids didn't feel like their accounts needed that much protection for whatever reason.

How is your observation relevant to the study reported here? The passwords analyzed in the study protected accounts that had access to grades, financial records, e-mail and other highly sensitive information. I can't imagine any of the 25,000 study subjects considering this a low-value account. Isn't it safe to assume that the passwords analyzed in the study would be among the best the subjects would use anywhere?

They should be teaching password security in school. As computing power grows we'll need stronger passwords because honestly current encryption is not keeping up with the rate hackers are moving, not even close. But right now I'm more worried about how my passwords are being protected on the other end. So many companies are ridiculously careless with personal data and that's a major cause for concern in a world ruled by technology.

Long random passwords should be the standard, and no, leet speak combined with personal data does not count. Passwords need to be replaced but just like everyone else I don't have the slightest clue of how it could be done securely.

They should be teaching password security in school. As computing power grows we'll need stronger passwords because honestly current encryption is not keeping up with the rate hackers are moving, not even close. But right now I'm more worried about how my passwords are being protected on the other end. So many companies are ridiculously careless with personal data and that's a major cause for concern in a world ruled by technology.

Long random passwords should be the standard, and no, leet speak combined with personal data does not count. Passwords need to be replaced but just like everyone else I don't have the slightest clue of how it could be done securely.

Maybe we should be teaching better memory because that's basically the barrier all these password schemes are going to run up against.

I'm curious how old some of the passwords are - it seems like it's only been in the last 3-4 years that there has been serious discussion of PW security among educated laypeople (i.e., many of the people who read tech sites), so it would be interesting to know if pws from today are better than PWs from 5 years ago.

I tend to agree that CS students are more likely to understand how password security works... but what good is that knowledge and strength of password when they still write down their passwords on a sticky note and tape it to the palm rest of their laptops?

Well, it's not smart practice really, but the attack vector for this sorta thing comes via the internet, not from physical presence, usually.

Explanation: arts dudes have nothing worth protecting, business oiks are retarded. Explanation 2, taking into account the other categories indicated in the graph: password creativity is proportional to intelligence.

One big problem with passwords: people. This is something that most administrators deal with on a regular basis. The more complex the password (and usually the more difficult to type easily and to remember), the more likely it is that a user will store it somewhere (i.e. a Post-it note) to remember. The more often you require users to change it the more likely that they will merely append a number to the end of a sufficiently complex password (i.e. P@ssw0rd1, P@ssw0rd2, etc).

There's a better way to enforce security: two-factor auth (like RSA SecurID + PIN) or biometrics. In my company I have been issued a SecurID dongle for VPN access. It seems stupid to me that that same dongle isn't used for auth into other systems. I know that Active Directory is capable of this, for example. The same with biometrics. I had a laptop with a fingerprint scanner, and it also had a cryptocard slot. Yet I still had to type in a password because the company wasn't smart enough/equipped to use what they actually issued.